Search for packages
| purl | pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-9hq5-3usy-5fhq | Possible Object Leak and Denial of Service attack A carefully crafted `Accept` header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. |
CVE-2016-0751
GHSA-ffpv-c4hm-3x6v |
| VCID-bjwf-uhyk-63aj | Timing attack vulnerability in basic authentication Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. |
CVE-2015-7576
GHSA-p692-7mm3-3fxg |
| VCID-d15q-6ukb-wfff | Object leak vulnerability for wildcard controller routes Users that have a route that contains the string `:controller` are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain `:controller`. |
CVE-2015-7581
GHSA-9h6g-gp95-x3q5 |
| VCID-pb5f-g4uc-r7fp | Possible Input Validation Circumvention Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to allow parameters and must specifically opt-out of input verification using the `permit!` method to allow mass assignment. |
CVE-2016-0753
GHSA-543v-gj2c-r3ch |
| VCID-thx6-usb2-kkgc | Nested attributes rejection proc bypass When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. The `allow_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could set attributes to invalid values or clear all the attributes. |
CVE-2015-7577
GHSA-xrr6-3pc4-m447 |
| VCID-v3r3-bwp5-a3bn | Path Traversal The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` in a pathname. |
CVE-2016-0752
GHSA-xrr4-p6fq-hjg7 |